TikTok’s Cross-App Tracking Scandal and the Fault Lines in U.S. Privacy Protection
In the ever-evolving digital landscape, where apps know more about us than most friends or family members, a new privacy storm has erupted. On December 17, 2025, Reuters reported that a European privacy advocacy group called None of Your Business (noyb) has filed formal complaints alleging that TikTok monitored a user’s activity on the dating app Grindr — not through anything visible or overt in the TikTok app itself, but via a third-party data intermediary known as AppsFlyer.
According to the complaint, TikTok received information not just about the user’s use of Grindr — a platform widely used by LGBTQ+ communities — but also other apps including LinkedIn and even items placed in an online shopping cart. Crucially, none of this occurred with valid, explicit consent from the user.
The transfers were revealed only after the user exercised their rights under European data access laws and, even then, only after repeated requests. It’s not just awkward — for many users, this represents a deep intrusion into personal life and identity.
What the Complaint Says — Cut to the Core
In its filings with Austrian regulators, noyb alleges:
- Unauthorized data sharing: TikTok obtained detailed data from other apps via AppsFlyer without a valid legal basis under European law. (Source: noyb.eu)
- Sensitive information exposure: Data potentially revealing a person’s sexual orientation is flagged as especially sensitive under the EU’s General Data Protection Regulation (GDPR). (Source: noyb.eu)
- Transparency failure: TikTok allegedly withheld full details about how this data was collected and used until pressed — a direct breach of GDPR’s transparency requirements. (Source: noyb.eu)
- Use of data for ads and analytics: The complaint notes TikTok used the data for personalized advertising, analytics and other purposes. (Source: Reuters)
While these allegations are lodged under EU law, they shine a spotlight on practices that are just as relevant — and potentially dangerous — for users in the United States.
So Why Should Americans Care?
1. U.S. Privacy Law Is Weak in Comparison
In Europe, GDPR imposes strict limits on sharing sensitive personal data — especially without explicit consent. That law prescribes heavy fines and requires transparency. In the U.S., by contrast, there is no comprehensive federal privacy statute that offers the same level of protection for ordinary citizens across all apps and services. Many companies exploit this gap.
Right now, U.S. laws governing data collection are a patchwork — some industry-specific (like COPPA for children’s data), some left to states (like California’s CCPA). But there’s no federal equivalent to GDPR that universally governs how a social app shares cross-platform behavioral data. That means an app like TikTok could, in theory, collect vast amounts of intimate behavioral information with little oversight.
2. Sensitive Personal Data Isn’t Just Metadata
Tracking what video you watch is one thing. Tracking what dating app you use and how you swipe? That’s personal. Combine that with buying habits, professional networking activity or other app usage, and a detailed psychological portrait begins to form without your knowledge.
For groups historically subject to discrimination or harassment — such as LGBTQ+ communities — revealing sexual orientation, dating habits, or personal life context to a massive commercial platform is not a trivial risk. It’s potentially harmful.
3. Consent Was Optional — and Hidden
If a platform tracks your movements inside its own app, the industry justifies this with vague, buried privacy policy clauses. Cross-app tracking — especially when data is shared through analytics companies like AppsFlyer — is frequently obscured in technical language or never presented clearly at all. No one intuitively understands these mechanisms — and most people don’t realize they can opt out.
Europe’s GDPR gives users the right to see what is collected and demand it be stopped. That wasn’t honored here, according to noyb — which is why regulators are now being asked to intervene.
Potential Fallout — Regulatory, Legal, and Cultural
In Europe
If regulators confirm the allegations, TikTok — already fined €530 million earlier this year for data transfer issues — could face fresh penalties and orders to change practices.
Grindr’s stock reportedly dipped after news of the complaint emerged, suggesting investor sensitivity to data liability.
In the U.S.
This case could fuel ongoing debates about whether TikTok should be banned or restricted on national security and privacy grounds. U.S. lawmakers have repeatedly targeted TikTok over data privacy and potential foreign access concerns.
A story centered on private sexual behavior being tracked by a social platform — especially one with foreign ties — might give new urgency to legislation that empowers regulators to demand transparency and impose meaningful penalties.
This isn’t just headline fodder.
People don’t use apps in a vacuum. Our digital footprints — what we swipe, search, shop, or share — are deeply personal. When companies collect and interlink data across platforms without clear consent, they are not just monetizing behavior; they are building dossiers on human lives.
Right now in the United States, we don’t have strong, unified protections to stop this behavior. That gap is the hole through which our data flows — unregulated, unanalyzed, and often unknown to the user.
Europe may act first on this complaint. But the implications are global — and urgent. If Americans want real privacy protection, it’s going to take more than scrolling past another consent pop-up. It’s going to take laws that make companies accountable for every byte of what they collect — and every way they use it.





